Background

Target Eye Monitoring System, which I have developed 12 years ago, was probably the first surveillance and monitoring tool for capturing activity of remote computers. The following description is taken from the original Business Plan of this venture:

Target Eye is a start-up company whose mission is to develop integrated software solutions for real-time monitoring of remote PCs, which are based on the company’s patent pending technologies (60/204,084 and 60/203,832). Our major product, Target Eye Monitoring System, is a software product that can continuously track, record, playback, analyze and report any activity performed on one or multiple remote PCs, in a way which is undetectable by their users. The software relies on a stream of rapidly captured, compressed full-screen images and continuous keystroke capturing to provide a comprehensive and accurate account of user activities, including local activities which do not generate any network traffic. In this way, the software can track and record activities, which are undetectable by systems relying on network traffic analysis. A smart agent module running on the monitored PCs uses a rule base to send alerts to the monitoring location(s) or perform pre-defined local operations. Monitoring can be performed from multiple locations. Major markets are law-enforcement.

The Shopping List Mechanism ™

Target Eye Monitoring System has a unique mechanism for bi-directional files requests from the monitored computer. Using the Shopping List Mechanism ™ , the operator can define requests as for which criteria to be used, and then, to modify these requests on the fly.

What is the Shopping List

The Shopping List is in fact, a file, managed manually by the Operator, and the Secret Agent.

The Operator defines the queries, and then manipulate and edit them, as well as their results, while the Secret Agent execute them and marks which one of the requested files we sent.

The Shopping List is constantly updated by the Secret Agent, and as a result, it can be used to get an updated view of the operation activity.

The Shopping List Naming Structure

In order of doing so, the Shopping List file is placed on the Server, and can be identified by it's unique naming structure.

<OperationID><AgentID><ShoppingList Alias>

For example:

If the OperationID is “SECRET00” and the AgentID is “IBM000000001”, and provided that the Shopping List Alias is “files.txt”, you will get:

SECRET00IBM000000001-files.txt

The Shopping List Query Structure

There are different types of entries which can be part of the Shopping List.

A Single Request

When the Operator needs a specific file, knowing it's exact location, a Single Request is used.

For example

To request the file 'autoexec.bat' located in C:\ the request would be:

[ ] c:\autoexec.bat

and after successful execution of this request, the entry will be:

[X] c:\autoexec.bat

or alternatively, in case of failure (for example: if there is no such file), the entry will be:

[!] c:\autoexec.bat

A Simple Query

When the Operator needs all files of a certain type, with or without specific name, a Simple Query is used. Such query will always start with [Q] and will use SQL syntax to define the criteria.

For example

To request all DOC files containing the word 'spy', in any place in the monitored computer, the entry will be:

[Q] *spy*.doc

As a result, the Secret Agent might, for example, find the following files, and the operator will see the following entries added:

Other actions on files

Files specified or found as a result of a query can not only be copied, but also deleted.

Deleting a file

When the Operator wishes to delete a single or several files, with or without specific name, a Simple Delete Query is used. Such query will always start with [D] and will use the Shopping List syntax to define the criteria.

For example

To request all DOC files containing the word 'spy', in any place in the monitored computer, the entry will be:

[D] *spy*.doc

will delete all Word documents with the string "spy" as part of their names.

Shopping List Mechanism -Shopping List Query

This is where a list of initial queries is entered. You can enter a number of queries, one after the other.

Shopping List Mechanism - Encrypt Shopping List on the Server

When this checkbox is checked, the Shopping List file will be encrypted on the Server. When it is unchecked, it is possible to use the Explorer to modify and edit this file on the fly, while getting faster results from the Secret Agent. For example: adding a new query. When the file is encrypted, the Target Eye Decryptor tool is required to make any changes.

Shopping List Mechanism - Ignore Files Larger Than

When this checkbox is checked, the amount of MB indicated bellow, are the higher limit of files that will be sent to the Server. Files which are larger than that size will be ignored.

Shopping List related settings

The Target Eye had a Compiler that was used along the evolution of the application to customize the "Secret Agent' part based on predefined and dynamically changed settings.

Performing Fast Files Searches

While developing Target Eye I checked many methods for performing mass searching in a computer. The purpose was to find a way to search for thousand of files in seconds, scanning all drive letters, and building a list of results.

The FindFile class by Louka Dlagnekov seems to be an excellent solution. It works really fast and is reliable. I have enhanced it to filter the search queries for the last file access data (for example, searching for all .doc files from the last 30 days, was done using the query:

[Q] -d30 *.doc

Unless specified otherwise, and due to the nature of Target Eye to gather information, a query is executed while searching all drive letters and all folders in the monitored PC.

Some Source Code

The best way to explain the Shopping List mechanism is form bottom to top. So when we actually perform the search it looks like this:

A Mission - a request to perform an action. There are many possible actions (for example, capturing the screen, as described in an other article of mine). Since the scope of this article is the Shopping List mechanism, the Mission that is associated with the Shopping List could be copy or delete a file.

Target Eye Compiler - The tool that is used by the Target Eye Operator to customize a Secret Agent for performing specific tasks.

The following code is taken form the 2004 version of Target Eye. This function is called only when there is no Shopping List already created. After the first time it is created, and from that moment, it will be updated as a result of 2 possible triggers:

Target Eye Secret Agent completes (or fails) in a mission. (client)

Target Eye operator adds or deletes a mission. (server)

The first thing that is done is building the initial query. This query is built according to the settings defined in the Target Eye Compiler. The initial query can be a combination of several queries. For example: the query "*.doc;*.xls" encapsulates two queries; "*.doc" (all files ending with ".doc") and "*.xls" (all files ending with ".xls").

Shopping List Synchronization

Before we bring the source code, I'd like to explain the idea behind the Shopping List synchronization. Since the Shopping List can be updated by both the client (Target Eye Secret Agent) and the server (Target Eye operator), there is a process for synchronizing the changes, so the Secret Agent is being notified about any change made by the operator (for example: if the operator removes a mission to copy a certain file, this file will not be copied), and the operator is being notified of any changes made by the client, namely, being updated about the progress of fulfilling the list of missions given to the Secret Agent. Most of the Shopping List related routines contains a part where the local shopping list is updated (or created) and a part where the shopping list is synchronized so the changes apply to the server version.

TE_BuildInitQuery()

This routine is called when there is no local shopping list yet and it should be built based on the settings defined by the operator.

All materials contained on this article are
protected by International copyright law and may not be used, reproduced,
distributed, transmitted, displayed, published or broadcast without the prior
written permission given by Michael Haephrati and Target Eye LTD. You may not
alter or remove any trademark, copyright or other notice from copies of the
content.

License

Share

About the Author

Michael Haephrati, born in 1964, an entrepreneur, inventor and a musician. Haephrati worked on many ventures starting from HarmonySoft, designing Rashumon, the first Graphical Multi-lingual word processor for Amiga computer.

Worked with Amdocs and managed several software projects, among them one for the Ministry of Tourism in New Zealand. During 1995-1996 he worked as a Contractor with Apple at Cupertino. After returning to Israel, worked as a Project Manager with Top Image Systems (mostly with JCC, Nicosia), and then at a research institute made the fist steps developing the credit scoring field in Israel. He founded Target Scoring and developed a credit scoring system named ThiS, based on geographical statistical data, participating VISA CAL, Isracard, Bank Leumi and Bank Discount (Target Scoring, being the VP Business Development of a large Israeli institute).
During 2000, he founded Target Eye, and developed the first remote PC surveillance and monitoring system, named Target Eye.

Other ventures included: Data Cleansing (as part of the DataTune system which was implemented in many organizations.